Date: Thu, 29 Jun 2017 16:39:55 +0000 (UTC) From: Steve Wills <swills@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r320473 - head/usr.sbin/bsdinstall/scripts Message-ID: <201706291639.v5TGdtQs092610@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: swills (ports committer) Date: Thu Jun 29 16:39:55 2017 New Revision: 320473 URL: https://svnweb.freebsd.org/changeset/base/320473 Log: Add hardening menu item for security.bsd.see_jail_proc Approved by: allanjude Differential Revision: https://reviews.freebsd.org/D11283 Modified: head/usr.sbin/bsdinstall/scripts/hardening Modified: head/usr.sbin/bsdinstall/scripts/hardening ============================================================================== --- head/usr.sbin/bsdinstall/scripts/hardening Thu Jun 29 14:44:17 2017 (r320472) +++ head/usr.sbin/bsdinstall/scripts/hardening Thu Jun 29 16:39:55 2017 (r320473) @@ -38,13 +38,14 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \ 0 0 0 \ "0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \ "1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \ - "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \ - "3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \ - "4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \ - "5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \ - "6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \ - "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \ - "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \ + "2 hide_jail" "Hide processes running in jails" ${hide_jail:-off} \ + "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \ + "4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \ + "5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \ + "6 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \ + "7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \ + "8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \ + "9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \ 2>&1 1>&3 ) exec 3>&- @@ -54,6 +55,9 @@ for feature in $FEATURES; do fi if [ "$feature" = "hide_gids" ]; then echo security.bsd.see_other_gids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening + fi + if [ "$feature" = "hide_jail" ]; then + echo security.bsd.see_jail_proc=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening fi if [ "$feature" = "read_msgbuf" ]; then echo security.bsd.unprivileged_read_msgbuf=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201706291639.v5TGdtQs092610>